Hi, I have a Modbus device connected to an ABB CI867 interface using a Modbus/TCP converter. Connection keeps on dropping every 2 seconds. I have some issue understanding the WireShark analysis. Could anyone help me? Here is the Scan: https://www.cloudshark.org/captures/e383e599f1b4 Thank you for your help asked 19 Mar '14, 17:43  Beber_NC |
2 Answers:
Did you notice that the last message before the FIN packet in each session contains "RTU check CRC failed, Receive query again" ? answered 19 Mar '14, 22:43  mrEEde |
As per the answer by @mrEEde the RTU (172.19.197.32) is returning some ASCII text after its response to the query request, and it's likely that the Modbus master is choking on this and subsequently closing the connection. The text "RTU check CRC failed, Receive query again" looks like some form of diagnostic output from the RTU which shouldn't be sent over the data connection. Note that when using Modbus/TCP the standard Modbus CRC isn't used, Another observation in your capture is duplicated packets, probably due to your capture setup involving mirroring or spanning switch ports. These dups can be removed by using editcap. A final observation is that your capture also contains traffic not relevant to your question, that leaks details about your network environment, e.g. netbios-ns packets. You might want to filter your captures a little better before posting them publicly, although I don't think you've let anything too bad out this time. answered 20 Mar '14, 03:13  grahamb ♦ |
